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Abstract. In this paper we study the MOR cryptosystem. We use the 
group of unitriangular matrices over a finite field as the non-abelian 
group in the MOR cryptosystem. We show that a cryptosystem similar 
to the El-Gamal cryptosystem over finite fields can be built using the 
proposed groups and a set of automorphisms of these groups. We also 
show that the security of this proposed MOR cryptosystem is equivalent 
to the El-Gamal cryptosystem over finite fields. 
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1 Introduction 

Most of the public key cryptosystems popular today are built on abelian 
groups. It is natural to try to generalize these cryptosystems to non- 
abelian groups, not only because the current systems are getting old with 
time, but also there is an interesting academic adventure in trying to do 
so. The cryptosystem that we have in mind is the El-Gamal cryptosystem 
[31 Section 2] which is built on the Discrete Logarithm Problem [31 Section 
2]. The discrete logarithm problem can be generalized in different ways, 
to mention just two of them - one was done in f7] and the other is the 
MOR cryptosystem [12] . 

The MOR cryptosystem has attracted a lot of attention and some 
well written papers [4|ll|14j . In this article we propose a new group and 
a subgroup of the group of automorphisms for the MOR cryptosystem. 
Our group is the group of unitriangular matrices over a finite field and the 
automorphisms are the composition of diagonal, inner and central auto- 
morphisms. We show that for this group and subgroup of automorphisms, 
MOR is as secure as the El-Gamal cryptosystem over finite fields. 

There is still a lot of interest in cryptosystems using the discrete log- 
arithm problem in finite fields, for example, the El-Gamal cryptosystem. 



We claim that we had a reasonable amount of success with these groups 
and automorphisms. Though the most desirable consequence of this re- 
search would be no sub- exponential attack on the cryptosystem. 

There is one other shift in our proposed MOR cryptosystem. We are 
using polycyclic groups [131 Chapter 9] for the cryptosystem; computation 
with this class of groups is done differently than with the multiplicative 
group of finite fields. We are yet to understand the consequence of this 
shift, from arithmetic in finite fields to arithmetic in a polycyclic group 
and the use of automorphisms instead of exponentiation. 

It is often expected of the proposer of a new cryptosystem to provide 
parameters and to show that the cryptosystem is semantically secure^. 
The El-Gamal encryption scheme is considered semantically secure |T] and 
so it remains to be seen if the proposed MOR cryptosystem is also seman- 
tically secure. Note that the semantic security of the MOR cryptosystem 
depends on the group used [HI Section 3]. 

We are not yet in a position to provide parameters because the dis- 
crete logarithm problem in the automorphism group, on which the se- 
curity of our cryptosystem depends, is not well studied. Moreover, since 
the best known attack on the proposed MOR cryptosystem is the dis- 
crete logarithm problem in finite fields, hence one can pick parameters 
from any cryptosystem using the discrete logarithm problem, e.g., the 
El-Gamal cryptosystem and use it for the proposed MOR cryptosystem. 
The MOR cryptosystem is a straightforward generalization of the El- 
Gamal cryptosystem, so it is easy to see that MOR is not secure against 
indistinguishability- secure from chosen-ciphertext attack p2, Section 2], 
however ideas similar to the Cramer-Shoup cryptosystem [lj should make 
it achieve any security goal in any attack model. 

2 The MOR cryptosystem 

In this section we discuss the MOR cryptosystem [12] and critique some 
of the points discussed by the authors. There are two different security 
concepts used in [12]. 

i. The discrete logarithm problem in the group of inner automorphisms. 

ii. Membership problem in a finite cyclic group. 

Let us describe the MOR cryptosystem in details. Let G = (71, 72, . . . , 7 S ) 
be a finite non-abelian group. Let 4> g be an inner automorphism of G 

1 For our definition of semantic security see pQ. Briefly stated, a cryptosystem is 
semanticaliy secure if it is secure against a passive eavesdropper. 
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defined by 4> g (x) = g~ 1 xg for all x E G. Then 4>™(x) = g~ m xg m for 
all x E G and m a positive integer. We are working in the group of 
inner automorphisms with the composition of automorphism as the group 
operation. Now suppose Eve wants to set up a public key for herself. Then 
she chooses g and publishes cp g and (f>™. She, however, doesn't publish 
g and g m ; instead she publishes {4>g{li)Yi=i an d {<^(7i)}f=i- Then to 
send a message (plaintext) a E G, Bob computes <f) r g and </>™ r from the 
public information, for a random r E N and then computes </>™ r (a). He 
then sends Eve (<fi r , </>™ r (a)) . As in the El-Gamal cryptosystem Alice, 
knowing m, can compute <fi™ r from <jf and, hence, the inverse (fig~ mr and 
the plaintext a. 

What does the security of this protocol depend on? Firstly, if one can 
solve the discrete logarithm problem in <p g and (j>™ then the protocol is 
broken. On the other hand, since the inner automorphisms are presented 
as the action on generators, it might be difficult to find g from the public 
information {0 s (7i)}f=i- Moreover, (f> g = (f> gz for any z E Z{G) the center 
of the group G, so even if there is an algorithm to find g, that g might 
not be unique. The authors of the MOR cryptosystem uses this fact for 
security as follows: suppose one knows the g from 4> g and then tries to 
determine the g m in (j> g m then by solving the conjugacy problem they will 
come up with g m z. Then they will have to solve the membership problem 
in the cyclic group (g) before they can even try to solve the discrete 
logarithm problem. Of course this attack on the system does not include 
that someone might be able to solve for m from the public informations 
{4> g {^i)Y i=l and {<^ g m (7i)}| = i- Moreover, as shown in [U Theorem 1] there 
is an effective way using only black box group operations to get around 
this membership problem by switching to the discrete logarithm problem 
in G/Z{G). 

The idea behind this scheme seems to be novel and the idea of using 
the membership problem in public key cryptography might have interest- 
ing applications. However, the biggest test for an idea to develop a public 
key protocol is the ability to find groups that produce fast encryption, 
fast decryption and is secure. 

The idea of using automorphisms; where the public information about 
these automorphisms is its action on generators puts severe restrictions 
on the groups useful in this scheme. 

The groups used should have a fast algorithm to express an element as a 
word in generators. Unless every group element is presented as words 
in generators, e.g., polycyclic groups where fast collection algorithms 
are available, this is hard to achieve. 
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What concerns us the most is the use of two different cryptographic prim- 
itives - the discrete logarithm problem and the membership problem si- 
multaneously! It can be argued that two insecure locks do not make one 
secure lock; just get two different person to work on them simultaneously 
or use a meet in the middle attack. The converse of the idea is that one 
secure lock is enough to guard a secret. Stated plainly, the idea of using 
the membership problem and the discrete logarithm problem simultane- 
ously in a protocol is probably not wise. On top of this, since MOR is a 
generalization of the El-Gamal cryptosystem whose security depends on 
the discrete logarithm problem, the computational Diffie-Hellman prob- 
lem and the decision Diffie-Hellman problem [TJ Section 2.3]or [5J Section 
2]; this cryptosystem is not ideally suited to exploit the membership prob- 
lem. This was echoed in [11]. In the definition of the MOR cryptosystem 
in [IT] the whole automorphism group was considered instead of the group 
of inner automorphisms as in [12] , and the requirement that the automor- 
phisms be presented as action on generators was dropped. Following that: 
in this article we won't use the membership problem; we will rely on the 
discrete logarithm problem in the automorphism group for security. 

The basic scheme for a MOR cryptosystem is as follows and is an 
adaptation of [UJ Section 2]: 

Let G be a group and 4> : G — > G be an automorphism. In this paper, 
if we work with automorphisms of G, we work in the automorphism group 
of G, with the group operation being the composition of automorphisms. 



2.1 Description of the MOR cryptosystem 

Alice's keys are as follows: 

Public Key <j) an d (f> m , m <E N. 
Private Key to. 

Encryption 

a To send a message a € G Bob computes (jf and <jf nr for a random 
r E N. 

b The ciphertext is {<p r , (j) mr (a)) . 
Decryption 

a Alice knows to, so if she receives the ciphertext (4> r , (p mr {a)), she com- 
putes (j) mr from <jf and then (j>~ mr and then from (j> mr (a) computes 
a. 
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Alice can compute (j)~ mr two ways; if she has the information necessary 
to find out the order of the automorphism <fi then she can use the identity 
t_1 = (j)- 1 whenever = 1. Also, she can find out the order of some 
subgroup in which <ft belongs and use the same identity. However, the 
smaller the subgroup, more efficient the decryption algorithm. 



3 Proposed group for the MOR cryptosystem 



The non-abelian group we are proposing for the MOR cryptosystem is the 
group of unitriangular matrices over a finite field ¥ q of characteristic p, 
where p is a prime number. The group of unitriangular matrices over ¥ q 
is often denoted by UT(n,q). This group consists of all square matrices 
of dimension n; the diagonal elements are 1 (the multiplicative identity 
of the field) and all entries below the diagonal are (the additive identity 
of the field). The entries above the diagonal can be any element of the 
finite field ¥ q . The group operation is matrix multiplication. An arbitrary 
element g G UT(4, q) looks like, 

/I * # *\ 
1 * * 
00 1 * 

yooo 1/ 

The * denotes a field element. From a simple counting argument it follows 
that UT(n, q) is a Sylow p-subgroup of the general linear group GL(n, q) 
where p is the characteristic of the finite field ¥ q . 

Let &ij for i < j represent the matrix with 1 in the position and 
elsewhere. It is customary to represent g G UT(n,q) as 1 + Yl a ij e ij, 

i<j 

where a%j G ¥ q . Notice that 1 above is the identity matrix. We will abuse 
the notation a little bit and use 1 as the identity of UT(n, q) and ¥ q si- 
multaneously. It should be clear from the context which 1 we are referring 
to. 

There are two fundamental set of relations in UT(n, q) along with 
the relations in the field ¥ q . For (1 + ae^), (1 + be k j) G UT(n, q) where 
a, b G ¥ q they are as follows: 



(1 + aejj)(l + beij) = 1 + (a + b)eij 
[1 + aeij, 1 + be k i] -- 



1 + abeu if j = k, % ^ I 
1 — abe^j if i = I, j ^ k 
1 otherwise 



(1) 
(2) 
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Here [x,y] = x~ 1 y~ 1 xy is the commutator of elements x,y G G for any 
group G. It is well known that the additive group of F g , often written as 
F+, is a 7 dimensional vector space over Z p , where p 1 = q. It follows [151 
Page 455] that the minimal set of generators of UT(n, q) are 1 + <5fcej.j + i, 
k = 1, 2, . . . ,7 and i = 1, 2, . . . , n — 1. The set {61,62, ■ ■ ■ , 6^} is a basis of 
F+ over Z p . The center of UT(n, q) is 1 + &ei jn where /c € F 9 . 

Since UT(n, q) is a finite p-group, it is a finite nilpotent group and a 
polycyclic group [13j Proposition 3.4]. 

Definition 1 (Polycyclic Group). A group G is a polycyclic group if 
there is a finite chain of subgroups G = Gi D G2 D . . . D D G^+i = 1 
such that Gj+i is a normal subgroup of Gi and Gj/Gj+i is cyclic. 

Since in a polycyclic group G, Gi/Gi + \ is cyclic, there is an aj in Gi 
such that the image of in Gi/Gi + \ generates Gi/Gi + \. It is easy to see 
that {ai, a 2 , . . . , a/j} generates the group G and is known as the polycyclic 
generating set. Since we are dealing with finite groups, \Gi + \ : G{\ = mi 
is finite. It follows that (see [13, Section 9.4]) every word in G can be ex- 
pressed uniquely as a^a^ 2 ■ ■ ■ a^ k where < ay < mj for j = 1, 2, . . . , k. 
These words are called collected words. Using a collection algorithm [13, 
Section 9.4] any word in {a\,...,ak} can be expressed as a collected 
word. So, in this group computing the inverse and the product is fast and 
easy, i.e., there is a fast implementation of polycyclic groups and their 
arithmetic [21 Polycyclic Package]. 

Let us talk about a polycyclic generating set of UT{n,p); for an arbi- 
trary finite field ¥ q this can be similarly done. For sake of simplicity we 
take n = 4. Let 01 = 1 + ei 2 , a 2 = 1 + e 2 3, a 3 = 1 + e 34 , a 4 = 1 + ei 3 , 
as = 1 + e 2 4 and = 1 + ei4. It is shown in [131 Section 9.4, Example 
4.1] that {ai,a 2 , . . . ,a^} forms a polycyclic generating set for £/T(4, Z). 
It is easy to see that this is also a polycyclic generating set for UT(A,p) 
for an arbitrary prime p. The polycyclic generating set for UT(n,p) can 
be similarly found for an arbitrary n. 

3.1 The diagonal automorphism 

Let D be an diagonal matrix, i.e., a matrix of dimension n over the field 
¥ q , and the only non-zero elements are in the diagonals. We will repre- 
sent a diagonal matrix D as [w\ , w 2 , , . . . , w n ], where Wi are non-zero 
elements of the field K and are the diagonal elements of the matrix D. It 
is easy to see that if w\ = iy 2 = ■ ■ ■ = w n then the diagonal matrix is a 
scalar matrix. Weir [151 Section 4] introduced the diagonal automorphisms 
on UT(n,q). Let D be a diagonal matrix given by [w\,W2, ■ ■ ■ ,w n \; then 
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from matrix multiplication it follows that D xD for an x € UT(n, q) 
where x = 1 + ^2 a^eij is given by 1 + Yl,( w 7 la ij w j) e ij- Since the scalar 

i<j i<j 

matrices have the same diagonal elements, the group of diagonal auto- 
morphisms has order (q — l) n . 

These diagonal automorphisms are not inner automorphisms because 
the diagonal matrices are not unitriangular. We will now study the MOR 
cryptosystem using these diagonal automorphisms. It is easy to see that if 
D = [wi,W2, ■ ■ ■ ,w n ] and 4>(x) = D~ 1 xD for x € UT(n,q) then </> m (x) = 
D~ m xD m where D m = [w™, w™, . . . , w™] where m G N. So, if Alice makes 
D and D m public then finding the m is solving the discrete logarithm 
problem in the multiplicative group F* of the finite field ¥ q . 

If the plaintext is a 6 UT(n,q), then computing cj) m {a) is easy and 
can be done easily from the formula above. So, using these diagonal auto- 
morphisms one can have a secure protocol similar to that of the El-Gamal 
cryptosystem. Clearly, there is no advantage for using this protocol over 
El-Gamal; the security depends on the discrete logarithm problem in the 
multiplicative group of the finite fields; but one has to do more work than 
the El-Gamal cryptosystem for encryption and decryption. 

If we take the group UT(2, q) of 2 x 2 unitriangular matrix over the 
finite field F q , then for a x G we can consider a diagonal automorphism 
presented on the generator of this group as 

* := (o 1) " (o i) and the mth power r ■= (J 1) " (o T) • 

If we use the MOR protocol as in Section [2.11 with these automorphisms, 
then it is identical to the El-Gamal cryptosystem over a finite field. 

So, we claim that the MOR cryptosystem as in Section 12.11 with the 
diagonal automorphisms is computationally and semantically secure and 
can be made indistinguishability-secure from chosen-ciphertext attack us- 
ing ideas similar to the Cramer-Shoup cryptosystem [1]. Notice that it is 
essential for the above mentioned use, that the Wi are all different from 
one another; otherwise valuable information about the plaintext will be 
leaked. 

3.2 The inner automorphism 

Inner automorphisms are the easiest of the automorphisms to study; they 
are defined as I g (x) = g~ 1 xg for all x € UT(n,q) and g € UT(n,q). It is 
well known that the group of inner automorphisms 1(G) for an arbitrary 
group G is a normal subgroup of the automorphism group of G. It is also 
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known that 1(G) is isomorphic to G/Z(G). From which it follows that 
the order of the group of inner automorphisms of the group UT(n, q) is 

n 2 -ra — 2 

q 2 . We will now see what happens if we use the inner automorphisms 
for the MOR cryptosystem. 

Let (p = I g as described in the MOR cryptosystem (see Section 12. 1[) . 
Since the conjugacy problem is easy and we are not using the membership 
problem, we can safely assume that g and g m is public. If 

/ 1 an ai3 au\ 

_ 1 023 CL24 

9 ~ 1 a 34 

\0 1 J 

then 

/ 1 ma\2 * * \ 
m _ 1 ma 2 3 * 

3 ~ 1 ma 34 

\0 1 / 

where * represents a field element. 

Now the discrete logarithm problem to find m essentially becomes the 
discrete logarithm problem in F+. Since the discrete logarithm problem 
in the additive group of a finite field is known to be easy, we do not 
believe that using only inner automorphisms one can build a secure MOR 
cryptosystem. 

3.3 The central automorphism 

The group of central automorphisms is the group most widely studied 
after the group of inner automorphisms. The reason of its popularity is 
that the group of central automorphisms is the group of centralizers of the 
group of inner automorphisms, i.e., the central automorphisms commute 
with the inner automorphisms and fix the derived subgroup elementwise. 
It can be shown that if ip is a central automorphism of a group G then 
ip(g) = gz g where z g E Z(G) and depends on g. It follows [5] that a 
description of the central automorphism £ r (A) of UT(n,q) is 

Cr(A) : 1 + Or, 

where A is an endomorphism of and r = 1, 2, . . . , n — 1. Now since 
A is an endomorphism and is a 7-dimensional vector space over Z p , 
if \(5i) = bi for i = 1, 2, . . . ,7 then we arrive at [TSJ Page 463] where 
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a description of the central automorphisms for the UT(n, q) is given as 
1 + 5ie r ^ r+ i i— > 1 + Sie r)r+ i + 6jei jn where r = 1, 2, . . . , n — 1, 6j is an 
arbitrary element of ¥ q . This can also be represented as l+<5je rjr . + i i— > (1 + 
<5je rir +i)(l + &iei )n ). So composing this map n times gives us l+8ie r ^ r+ i i— > 
(1 + 5je r . r 4_i)(l + nbiei^n). Notice that if r = l,n — 1 then the central 
automorphisms are inner automorphisms and from this it follows that 
the order of the group of central automorphisms is q^™ -3 ) where p 1 = q 
(see [15, Page 463]). Since the description of the central automorphisms 
depend on A, unlike the inner or the diagonal automorphisms the only 
possible description of a central automorphism is by action on generators 
of the group G. 

So, if we take a central automorphism to use in the MOR cryptosys- 
tem then from the public information the discrete logarithm problem is 
the same as the discrete logarithm problem in F+. The discrete logarithm 
problem in the additive group of a finite field is easy; central automor- 
phisms alone do not provide us with a secure MOR cryptosystem. 

4 A proposed automorphism for the MOR cryptosystem 

Currently the proposed group for the MOR cryptosystem [12] is SL(2, Z p ) x 
Z p . This is a split extension of SL(2, Z p ) by Z p . The automorphisms pro- 
posed are the inner automorphisms. It is shown in |1 1|. Theorem 2] that 
the discrete logarithm problem in the group of inner automorphisms of 
SL(2, Zp) xi Z p is the same as the discrete logarithm problem in SL(2, Z p ). 
In [9] the authors show that the discrete logarithm problem in GL(n,q), 
the general linear group over the finite field ¥ q , is at most as hard as the 
discrete logarithm problem in some finite extension field of ¥ q . Since there 
are sub-exponential attacks on the discrete logarithm problem in finite 
fields such as the index calculus attack, there is every reason (practical 
as well as academic) to look for non-abelian groups and automorphisms 
in these groups in search for a better MOR cryptosystem. 

In [4] the authors developed a central commutator attack; they showed 
that inner automorphisms are not well suited for MOR cryptosystem; 
especially when the group is nilpotent. 

So, it is now clear that if we are using nilpotent groups, (UT(n, q) 
is a finite p-group and hence nilpotent) then we have to look for outer 
automorphisms. The diagonal and the central automorphisms are outer 
automorphisms. On the other hand, as we saw in the last section, diago- 
nal automorphisms do provide us with a secure MOR cryptosystem and 
the only way to represent a central automorphism is its action on gen- 
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erators. The security with diagonal automorphisms turns out to be the 
discrete logarithm problem in the multiplicative group of the finite field, 
and the central and the inner automorphisms from their presentation 
reveals valuable information. 

Now we are in a position to describe and justify the automorphism 
group that we are going to propose for the MOR cryptosystem, it is 

central composed inner composed diagonal automorphism. 

Let us denote by I, V and C the group of inner, diagonal and the central 
automorphisms of UT(n, q) respectively. It is well known that the cen- 
tralizer of a normal subgroup in a group G is normal in G. The subgroup 
X is normal in the automorphism group of UT(n, q) and so is C So, XL is 
a subgroup of the automorphism group of UT(n,q). The diagonal auto- 
morphisms do not commute with the inner automorphisms, the group of 
automorphisms we plan on using are elements of the subgroup (XL) x T>. 
It clearly follows that the subgroup of the above automorphisms have 
order 



We saw earlier that the discrete logarithm problem in the group of 
diagonal automorphisms is at most as secure as the discrete logarithm 
problem in the finite field. 

We were hoping that by composing a diagonal automorphism with the 
inner and central automorphism we might be able to diffuse the public 
information, so that, the reduction to the discrete logarithm problem in 
the finite field becomes impossible. We now show by means of a small 
example that with the best of efforts we are not able to beat the sub- 
exponential attack on finite fields. 

4.1 A small example 

We now explain the MOR cryptosystem with a small example. We used 
[21 Polycyclic Package] for this example, notations are from Section [3l We 
choose n = 4 and q = 1297 where 1297 is a prime. We pick three random 
integers 984, 807 and 452. Then we define a central automorphisms (see 
Section [33]) mapl as 



2 -n-2 

2 x [q — 1) 



n-l 



x g 7(n 3 ) where p 1 = q. 



mapl 
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all other generators remain fixed. Note that a central automorphism fixes 
commutators. Next we pick a random element h :- 



83„462„1202„1209„793^152 



Cli a. 



*a 



-a 



<i L , 



and compute the inner automorphism (see Section 13.2 
h xh corresponding to h. 



map2 



map2 :-- 



., r ,462 r ,1001 

a\ — > aia 4 a 6 

„ . „ „1214„1202 r ,103 

^ v --,835^,88 

a 3 — ► a 3 a 5 a 6 

„ „1202 

(Z4 — > a4dg 

„ „1214 

05 — > a^a 6 
^ a 6 — ► a 6 



Then we take the diagonal automorphism (see Section f3. If) corresponding 
to [624, 155, 538, 126], the diagonal automorphism map3 is 



map3 



«i 

«2 
«3 

a 1 
V «6 



>af 6 

ah 267 
>a| 74 
>af 8 

. „938 
a 5 



Then the automorphism Alice will make public is 
and that is given by 



mapl ■ map2 ■ map3 





. „ 576 ,,972 ,,538 
—r U4 tig 


a 2 — 


, „1267„1055„383„508 

? 1*2 W4 CI5 tig 




„574„1139„558 

-> a 3 a 5 a 6 


04 — 


„878„118 

-> a 4 o 6 


a 5 — 


_. „938„1168 

-> a 5 a 6 


k a 6 — 


-> n 736 



and if Alice chooses her private key to be 65 then 



a65 



Oi 
«2 

04 
a 5 
L a6 



450^1145^618 



O] O 



6 



1263 ^1269^ 1242 „ 1093 



a 



'at 



0,; 



526^708^279 



a? a 



264 ,,1190 
4 a 6 
, 274 „ 836 



6 



7 85 



The automorphisms <^ and 
cryptosystem in Section 12.1 



165 are public, (see description of the MOR 
. Notice that (576) 65 mod 1297 = 450. An 
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observant reader will further notice that from the public information of (f> 
and (/> 65 that if kj is the exponent of chj in 65 (aj) and if kj is the exponent 
of dj in (j>(a,j) for j = 1,2,3 and j = 6, then kj is kj 5 . The reason for 
this is that the inner and the central automorphisms leave the exponent 
of ai, 02,03,06 unchanged in the image as seen in mapl and map2. The 
only thing that changes {ai, 02, 03, a^} is the diagonal automorphism and 

then the change is aj 1— > a - J i+1 for j = 1, 2, 3 and a6 a^ 1 W4 . Then 
composing the map m times gives us aj 1— ► a>j j 3 for j = 1,2,3 and 

j _i \m 
(W, W 4 j 

«6 ^ »6 

This leads us to the best known attack against this cryptosystem. If 
one can solve the discrete logarithm problem in a finite field then he can 
figure out the m from the public information of <j> and <p m as demonstrated 
above. There are sub-exponential algorithms, such as the index calculus 
methods, in finite fields to solve the discrete logarithm problem. 

5 The security of the proposed MOR cryptosystem 

If we assume that MOR using UT(n, q) with proposed automorphisms 
is broken for an arbitrary n, then it is broken in UT(2, q) with diagonal 
automorphisms. The MOR cryptosystem using UT(2, q) is similar to the 
El-Gamal cryptosystem over finite fields (see Section l3.ip . This breaks 
the El-Gamal cryptosystem over finite fields. Conversely, if the El-Gamal 
cryptosystem over finite fields is broken by solving DLP in finite fields 
then one can break the proposed MOR cryptosystem. This is clear from 
the action of the automorphisms on the elements as described before 
and is also clear from the example above. So, we claim that in terms of 
security, the proposed MOR cryptosystem is equivalent to the El-Gamal 
cryptosystem over finite fields. 

6 Conclusion 

In this paper we studied a new non-abelian finite group and a group 
of outer automorphisms for the MOR cryptosystem. The computational 
security of any proposed cryptosystem is always an open question. This is 
the first time that the group of unitriangular matrices and automorphisms 
over it has been proposed for public key cryptography; more work needs 
to be done to assure one of the security of the said system. 
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This article clearly shows that the MOR cryptosystem has a lot to 
offer to the public key cryptography. We showed that with the right kind 
of groups, the MOR cryptosystem can offer a secure cryptosystem. 
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